Recent papers and presentations offer new updates and perspectives on how DNS and DNSSEC are evolving. Here are three sources of useful information on DNSSEC deployment:
- Presentations from the recent DNS Easy 2011 Workshop at the Global Cyber Security Center in Rome, held in October, are now online. Topics include evolution in the DNS, the potential impact of failure in DNSSEC validation, DNSSEC automation and monitoring, and more. Presenters included representatives from China, Italy, Japan, the Netherlands, and the U.S.
- Minimizing Information Leakage in the DNS, by Scott Rose and Anastase Nakassis of the U.S. National Institute of Standards and Technology, addresses what it calls “an unfortunate side effect of signed DNS nodes: an attacker can query them as reconnaissance before attacking individual hosts on a particular network.” The paper offers options for minimizing zone information leakage while retaining the benefits of DNSSEC-signed zones.
- DANE: Taking TLS Authentication to the Next Level Using DNSSEC, by Richard L. Barnes, appears in the most recent issue of the IETF Journal. It notes that, “while DANE holds the promise of more direct authentication, it will also create some new security challenges” and require DNS operators to “play a more critical role in securing applications.” The journal editor noted, “The advent of DNSSEC deployment raises the intriguing possibility of using the DNS as a secure repository for certificates in the future. In our cover article, Richard Barnes offers a detailed overview of the DANE working group’s efforts to make this possibility a technical reality.”